Malware Analysis Report

2024-12-07 10:32

Sample ID: 241113-w6xlcazqcp
Target: c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe
SHA256: c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15d
Tags: discovery, evasion, persistence, trojan
Score: 7/10


Analysis Overview

score
7/10

SHA256

c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15d

Threat Level: Shows suspicious behavior

The file c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence trojan

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 18:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 18:32

Reported

2024-11-13 18:34

Platform

win7-20241010-en

Max time kernel

119s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\xplorer\xplorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe" C:\Windows\SysWOW64\reg.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\xplorer\xplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xplorer\xplorer.exe C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
File created C:\Windows\xplorer\xplorer.exe C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xplorer\xplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\xplorer\xplorer.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
N/A N/A C:\Windows\xplorer\xplorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2948 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (4 identical entries)
PID 2376 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe C:\Windows\xplorer\xplorer.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe

"C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUTFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f

C:\Windows\xplorer\xplorer.exe

"C:\Windows\xplorer\xplorer.exe"

Network

N/A

Files

memory/2376-0-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUTFN.bat

MD5 4e6e99d38b1264af2b53a68c7cd6d648
SHA1 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
SHA256 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
SHA512 bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

memory/2376-27-0x00000000025A0000-0x00000000025A9000-memory.dmp

\Windows\xplorer\xplorer.exe

MD5 73c8c67ffe951dade675492a7e892bb1
SHA1 ccb21abe1e7fe7283bd616ae191d94a0cf1c6df3
SHA256 b44f720523963ed8b6e048a69292edb85f083df7501d8bc7fd6c2261ae276543
SHA512 a64092293d9a29ae3975d712c09d558e5d99882491b10064e20dada3a499fff68b55459bd39a61099c7af4d5795fc00167e66c339519b25caa6fe803bd3e3d11

memory/2376-41-0x00000000025B0000-0x00000000025B9000-memory.dmp

memory/2376-40-0x00000000025B0000-0x00000000025B9000-memory.dmp

memory/2772-43-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2376-46-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2376-48-0x00000000025A0000-0x00000000025A9000-memory.dmp

memory/2772-49-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 18:32

Reported

2024-11-13 18:34

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\xplorer\xplorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xplorer\xplorer.exe C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
File created C:\Windows\xplorer\xplorer.exe C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xplorer\xplorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\xplorer\xplorer.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe N/A
N/A N/A C:\Windows\xplorer\xplorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe

"C:\Users\Admin\AppData\Local\Temp\c33a2833625414c52c1422e80cce883a7ada5cbb97ead2f70fd90a22aa04b15dN.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QVGHE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f

C:\Windows\xplorer\xplorer.exe

"C:\Windows\xplorer\xplorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1184-0-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QVGHE.txt

MD5 4e6e99d38b1264af2b53a68c7cd6d648
SHA1 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
SHA256 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
SHA512 bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

C:\Windows\xplorer\xplorer.exe

MD5 135f052fc0d50e4c0a8e70bfd5d0a6f8
SHA1 a671261a92203782427d195ed8d432d1074d1ce1
SHA256 9e2cb1a0f0d1d9ea6b8e164cf0dd010cc85581edc22070b290b0521bc7959db3
SHA512 66d7d3755f28cb089bbb4c8e594bfba00ef5234c24f90b9d6a881bfd7952ce759e7929a3b6c7d56f68395cfee9bccb4aeeaeb106d84fcecc537767e8f50384c6

memory/4756-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4756-29-0x0000000000400000-0x0000000000409000-memory.dmp